Research at Oxford University found that many companies invest heavily in protective cybersecurity measures but considerably less in detection and response capabilities. We wrote in an article: “Every company had made prior investments to protect against cyber attacks but to a lesser extent to plan cyber-responses.” We did not, however, study the underlying reasons for that imbalance.
It turns out that there is a cognitive element to it. A recent academic study used laboratory experiments to investigate why cybersecurity spending is so often inefficient. In those experiments, decision-makers played economic games designed to mirror typical characteristics of cybersecurity problems: real money at stake, uncertain losses, and a choice between different kinds of protective measures. The study identified several cognitive biases in investment decisions.
Summary:
- As in other domains that involve risk (such as healthcare), prevention has traditionally accounted for the lion’s share of security spending, taking as much as 80% of budgets.
- But cyber attacks cannot all be prevented, which makes investment in detection, response, and recovery at least as important.
- Despite recent movement towards spending more on detection and response, the evidence suggests security spending is still biased towards prevention.
- But why is that? To find out, a group of academics set up laboratory experiments built around economic games.
Methodology:
- Participants were given real money that they could keep, but that they had to protect during an experimental task consisting of three economic games. In the first game, participants could invest in a preventive product; in the second, they could invest in detection and response products; and in the third, they could invest in a mix of the two.
- Each game was paired with a “productivity function”, which describes how much protection a security product delivers per unit of money invested and therefore defines what the economically optimal level of investment is.
Results:
- Interestingly, participants as a group tended to overinvest in security measures, that is, they spent more than the economically optimal amount.
- Participants also invested in mitigating small, immaterial risks, even though such investment was not economically warranted.
- Lastly, participants invested 30%–60% more in prevention than in detection and response, giving rise to what the authors call a “prevention bias”. This tendency to overinvest in prevention grew stronger as the level of risk increased.
Why does this matter for businesses?
- The study suggests that overinvestment in cybersecurity prevention stems from cognitive biases, that is, systematic deviations from rationality in judgement, rather than from a deliberate assessment of where money buys the most protection.
- Many executives ask themselves whether they are spending the right amount on the right things. This controlled experiment suggests that they probably aren’t. Admittedly, the prescriptive value of the study is limited: it is a laboratory setting with stylised games and modest stakes, so the direction of the bias is more transferable than its exact size. The practical takeaway is to treat a prevention-heavy budget as a prompt to review it, not as evidence that it is right.